asp.net-mvcasp.net-identitysaml-2.0acsws-federation

Ws-Federation Authentication in MVC not keeping Claims information after SAML2.0 verification

I'm trying to add a new auth method with Azure ACS to support users from an ADFS but I'm having a very specific issue.

I'm able to validate the SAML2.0 with the following config:

var audienceRestriction = new AudienceRestriction(AudienceUriMode.Never);
var issuerRegistry = new ConfigurationBasedIssuerNameRegistry();
issuerRegistry.AddTrustedIssuer("XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "https://XXXX.accesscontrol.windows.net/");
app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
{
    MetadataAddress = "https://XXXXX.accesscontrol.windows.net/federationmetadata/2007-06/federationmetadata.xml",
    Wtrealm = "http://someurl/",
    SecurityTokenHandlers = new SecurityTokenHandlerCollection
    {
        new EncryptedSecurityTokenHandlerEx(new X509CertificateStoreTokenResolver(StoreName.My,StoreLocation.LocalMachine)),
        new SamlSecurityTokenHandlerEx
        {
            CertificateValidator = X509CertificateValidator.None,
            Configuration = new SecurityTokenHandlerConfiguration()
            {
                IssuerNameRegistry = issuerRegistry,
                AudienceRestriction = audienceRestriction
            }
        }
    },
});

With the handler implemented like this:

public class SamlSecurityTokenHandlerEx : Saml2SecurityTokenHandler, ISecurityTokenValidator
{
    public override bool CanReadToken(string securityToken)
    {
        return base.CanReadToken(XmlReader.Create(new StringReader(securityToken)));
    }

    public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters,
        out SecurityToken validatedToken)
    {
        validatedToken = ReadToken(new XmlTextReader(new StringReader(securityToken)), Configuration.ServiceTokenResolver);
        var claims = new ClaimsPrincipal(ValidateToken(validatedToken));

        return claims;
    }

    public int MaximumTokenSizeInBytes { get; set; }
}

If I inspect the claims in the ValidateToken it is authenticated and with the claims I want but after it calls the callback page (where I want to create a new proper login for the webapp) It no longer has any information about the Federated auth.

Solution

  • Solved!

    I was launching the ACS page from the same mechanism as the other external auth providers but for some reason it was failing. Calling the ACS login page (https://someacs.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=https%3a%2f%2fsomeappsite%2f) directly solved my issue.